Global Privacy & Cybersecurity Update Vol. 13

Jones Day

United States

Regulatory—Policy, Best Practices, and Standards
 

New York Department of Financial Services Relaxes Cybersecurity Proposal
On December 28, 2016, the New York Department of Financial Services ("DFS") released a revised version of a proposed regulation that would require banks, insurance companies, and other financial services institutions regulated by the DFS to adopt broad cybersecurity protections. The revised draft pushes back the effective dates and compliance deadlines, adds limited exemptions, narrows the requirement to notify the DFS of cybersecurity events, adds flexibility to the program's requirements, and narrows certain definitions, among other changes.
 
New York Attorney General Issues Consumer Alert on Major Data Breach
On December 15, 2016, New York Attorney General Eric Schneiderman issued a consumer alert urging all New Yorkers to take immediate steps to protect their personal information following a data breach of a major online search engine, which compromised the data of 500 million users. The press release notes that the Attorney General's office is communicating with the company regarding the circumstances of the breach and disclosure to law enforcement.
 
SEC OCIE Includes Cybersecurity in 2017 Examination Priorities
On January 12, 2017, the Securities and Exchange Commission's ("SEC") Office of Compliance Inspections and Examinations ("OCIE") issued its 2017 examination priorities. These priorities represent practices, products, and services that the OCIE perceives to present potential heightened risks to investors or the markets. As part of its 2017 priorities, the OCIE stated that it would continue its initiative to "examine for cybersecurity compliance procedures and controls."
 
Report Shows Credit Card Fraud Shifts from In-Store to Online
On February 1, 2017, Javelin Strategy and Research reported that the use of stolen card data to pay for merchandise on websites, in mobile apps, and via telephone increased by 40 percent in 2016. The increased use of chip technology in credit cards has reduced in-person fraud in retail stores and driven credit card fraud online, which in turn has forced retailers with online sales to enhance their online security.

Regulatory—Critical Infrastructure
 

NIST Releases Guide to Help Organizations Recover from Cybersecurity Incidents
On December 22, 2016, the National Institute of Standards and Technology ("NIST") published the Guide for Cybersecurity Event Recovery to assist organizations in recovering from cybersecurity incidents. The guide consolidates existing NIST recovery guidance on incident handling and contingency planning and provides a process each organization can use to create its own comprehensive recovery plan. The publication supplies tactical and strategic guidance for developing, testing, and improving recovery plans, as well as examples of playbooks to handle data breaches and ransomware.
 
NIST Updates Cybersecurity Framework
On January 10, 2017, NIST released a draft update to its Framework for Improving Critical Infrastructure Cybersecurity. The update provides new details on managing cyber supply-chain risks, clarifies key terms, and introduces measurement methods for cybersecurity. The framework is intended to provide voluntary guidance to organizations to reduce cybersecurity risks.


Regulatory—Retail
 

FTC Settles Deceptive Consumer Tracking Charges with Digital Advertising Company
On December 20, 2016, the FTC settled with a digital advertising company regarding charges that the company deceived consumers by tracking them online and through mobile applications, even after consumers opted out of such tracking. According to the FTC complaint, the company's privacy policy represented that consumers could block targeted advertising by using their web browser's settings to block or limit cookies. However, the company tracked customers using unique identifiers even after the customers blocked or deleted cookies from websites. The settlement bars the company from misrepresenting the extent of its online tracking and requires an effective opt-out for consumers.

FTC Charges Network Equipment Manufacturer for Inadequate Router and Camera Security
On January 5, 2017, the FTC filed a complaint against a network devices manufacturer and its U.S. subsidiary, alleging that the company's inadequate security measures put consumers' privacy at risk. The FTC alleged that the company failed to take reasonable steps to secure its routers and internet protocol cameras, potentially compromising sensitive information, including live video and audio feeds and files stored on the routers' attached storage devices.

FTC Report on Cross-Device Tracking
In January 2017, the FTC issued a Cross-Device Tracking Report assessing legal challenges associated with cross-device tracking and making recommendations on how to apply privacy and security principles to this new technology. The report outlines industry self-regulatory efforts and encourages companies involved in cross-device tracking to: (i) truthfully disclose tracking to consumers and business partners; (ii) offer consumers choices about how their cross-device activity is tracked; (iii) obtain consumers' affirmative express consent before engaging in cross-device tracking on sensitive topics and regarding geolocation information; and (iv) maintain reasonable security to avoid future unexpected and unauthorized uses of data.


Regulatory—Defense and National Security

Senate Armed Services Committee Creates New Cybersecurity Subcommittee
On January 18, 2017, Senate Armed Services Committee Chairman John McCain and Ranking Member Jack Reed announced that Senator Mike Rounds of South Dakota would chair a new Subcommittee on Cybersecurity. The new subcommittee was first announced on January 4, 2017, and will be tasked with oversight and legislation for policies and programs relating to the Defense Department's cyber forces and capabilities.
 
DHS Proposes Rule on Treatment of Controlled Unclassified Information
On January 19, 2017, the Department of Homeland Security ("DHS") issued a proposed rule that would apply the same requirements for safeguards to both contractors who run federal information systems and contractors who may obtain controlled unclassified information in the course of working with DHS. DHS also proposed two other rules relating to data security and privacy, one addressing privacy training for DHS contractors and one addressing information technology security awareness training for DHS contractors.

Regulatory—Transportation


DOT Issues Notice of Proposed Rulemaking and Privacy Impact Assessment on V2V Communications
On December 20, 2016, the Department of Transportation ("DOT") National Highway Traffic Safety Administration ("NHTSA") issued a Notice of Proposed Rulemaking and a Privacy Impact Assessment on Vehicle-to-Vehicle ("V2V") communications. In the document, NHTSA discusses how V2V systems will "contain multiple technical, physical, and organizational controls to help limit potential privacy impacts on consumers including those related to vehicle tracking by individuals and government or commercial entities." The proposed V2V system contains three primary components: (i) Basic Safety Messages ("BSMs"); (ii) a method for validating BSMs; and (iii) a communications network. The report also contemplates various privacy controls, including limited transmission radius, no BSM storage, and rotating security credentials.


Regulatory—Financial Services

Financial Technology Industry Group Urges Bank Regulators to Tailor New Cybersecurity Rules to Risk
On January 19, 2017, several financial technology ("fintech") companies created a new industry group, the Consumer Financial Data Rights group, to urge the Office of the Comptroller of the Currency, the Federal Reserve Board, and the FDIC to limit regulation of smaller fintech firms. The group aims to: (i) promote the rights of consumers to access and share their financial data and (ii) modify cybersecurity rules to reflect the size of the banking institution.


Regulatory—Health Care/HIPAA
 

HHS Settles HIPAA Enforcement Action for Lack of Timely Breach Notification
On January 9, 2017, the Department of Health and Human Services ("HHS") settled an enforcement action with a hospital company for lack of timely breach notification. The Resolution Agreement requires that the company revise its existing policies and procedures, conduct training with its employees, and pay a $475,000 fine. HHS found that the company failed to provide timely written breach notifications to individuals whose protected health information had been compromised on multiple occasions.
 
Litigation, Judicial Rulings, and Agency Enforcements
 

Dating Site Settles with FTC and 13 States over 2015 Breach of 36 Million Users
On December 14, 2016, the FTC and 13 states settled charges with an online dating site regarding inadequate security measures that resulted in the 2015 breach of 36 million users' account, profile, and billing information. The settlement requires the defendants to implement a comprehensive data security program, including third party assessments, and pay $1.6 million to the FTC and states. The complaint alleges that the defendants misrepresented that they: (i) had taken reasonable steps to ensure that the site was secure; (ii) had received trusted security awards; and (iii) would delete consumer data upon utilization of a "full delete" service. 
 
Kansas Attorney General Sues Company for Failing to Protect Customer's Personal Information
On January 10, 2017, Kansas Attorney General Derek Schmidt filed a lawsuit in Kansas District Court against a document management company and two of its employees for failing to protect customers' personal information. According to the complaint, the company disposed of documents containing personal information, including Social Security numbers, in public trash receptacles. This case represents the first use of the Kansas Attorney General's enhanced data privacy enforcement powers under HB 2460, which was passed by the Kansas Legislature during the 2016 session.
 
Mississippi Attorney General Files Consumer Protection Act Complaint Against Internet Search Engine
On January 13, 2017, Mississippi Attorney General Jim Hood filed a complaint in Mississippi Chancery Court against an internet search engine alleging violations of Mississippi's Consumer Protection Act. The complaint asserts that the company collected personal information from students using its education portal and then used the data to create advertising profiles.
 
Ninth Circuit Ruling Applies Spokeo
On January 13, 2017, the Ninth Circuit vacated the lower court's decision to decertify a class and dismissed a plaintiff's case against a large furniture retailer, finding that the plaintiff failed to plead the concrete harm necessary under Spokeo for standing to bring suit. This case stemmed from allegations that the retailer illegally collected customer zip code data. The appellate panel based its decision on the plaintiff's own concession that she lacked standing in federal court because she had failed to allege more than a bare procedural violation.
 
Jury Awards $20+ Million in Telemarketing Class Action Trial
On January 19, 2017, a jury awarded $20.5 million in a class action lawsuit against a large satellite service provider. The plaintiffs in this case alleged the service provider made more than 51,000 unwanted telemarketing calls in violation of the Telephone Consumer Protection Act ("TCPA"). The jury awarded $400 for each unwanted call placed by the service provider. The case marks one of the first jury verdicts for a class of consumers alleging Do Not Call violations since the TCPA's enactment.
 
Ninth Circuit Says Employer Violated FCRA with Liability Waiver
On January 20, 2017, a Ninth Circuit panel reversed the dismissal of a putative class action, which alleged that a subsidiary of an oilfield services company violated the Fair Credit Reporting Act ("FCRA") by improperly placing a liability waiver on its job application disclosure form. The panel noted that the FCRA specifically requires companies to tell applicants if they intend to obtain their consumer report and allow them to refuse. In reversing and remanding the district court's decision, the panel held that the company had willfully violated the statute, subjecting the company to both statutory and punitive damages.
 
Seventh Circuit Affirms Dismissal of Class Action
On January 20, 2017, the Seventh Circuit affirmed the dismissal of a proposed class action against a large cable TV company, finding the plaintiff had no standing to bring suit under Spokeo. The plaintiff brought suit against the cable company for violation of the Cable Communications Policy Act for storing former customers' personal information. The Seventh Circuit held there was no evidence the company had released the personal information or that it planned to do so, and thus found no evidence of cognizable harm.
 
NY Attorney General Settles with Computer Manufacturer after Data Breach
On January 26, 2017, the New York Attorney General's office announced that a computer manufacturer would pay $115,000 in penalties and overhaul its cybersecurity practices after an ongoing data breach of its website exposed more than 35,000 credit card numbers. Security vulnerabilities found in the company's system included a debugging mode setting that saved all customer data in an unencrypted plain text form and a website misconfiguration that allowed unauthorized users to view and access information. The settlement also included multiple new security practices, including a designated employee to supervise the privacy and security of personal information, regular testing of safeguards, and annual trainings on data security.
 
Eighth Circuit Remands Data Breach Settlement to Reassess Class Certification
On February 1, 2017, the Eighth Circuit Court of Appeals remanded a customer data breach litigation to the District Court of Minnesota to further consider class certification. The Eighth Circuit based its decision on an alleged conflict of interest between the named representatives and the remainder of the class.
 
Television Manufacturer Settles with FTC and New Jersey Attorney General
On February 6, 2017, a global television manufacturer agreed to pay $2.2 million to the FTC and to the Office of the New Jersey Attorney General to settle charges that it installed software on its TVs to collect viewing data on 11 million consumer TVs without consumers' knowledge or consent. According to the complaint, the manufacturer offered a smart interactivity feature without informing consumers that the setting enabled the collection of viewing data. The complaint alleges that the undisclosed data tracking was unfair and deceptive, in violation of the FTC Act and New Jersey consumer protection laws.
 
Legislative—Federal
 

House Hearing Explores Role of Internet-Connected Devices in Recent Cyberattacks
On November 16, 2016, the House Committee on Energy and Commerce held a hearing to address the cybersecurity vulnerabilities of internet-connected consumer devices. Representatives weighed cybersecurity experts' calls for increased regulation of the growing Internet of Things ("IoT") and evaluated the consequences of unsecured IoT devices on the public at large and the direct purchaser.
 
Congress Passes Legislation to Enhance Cybersecurity Cooperation with Israel
On December 16, 2016, the Senate passed the U.S.–Israel Advanced Research Partnership Act. The legislation authorizes the Science and Technology Directorate of the DHS to expand its cooperation agreements with Israel to include research to improve cybersecurity capability and preparedness. A similar bill, the U.S.–Israel Cybersecurity Cooperation Enhancement Act, was passed by the House of Representatives on January 31, 2017, and was referred to the Senate Committee on Homeland Security and Governmental Affairs. The bill seeks to establish a cybersecurity grant program under the DHS to support joint ventures between U.S. and Israeli businesses, nonprofits, academic institutions, and government agencies.
 
Senate Urges Companies to Address Cybersecurity Threats
On January 5, 2017, the Senate Armed Services Committee held a hearing titled "Foreign Cyber Threats to the United States" led by Senator John McCain. Top intelligence officials testified that private–public partnerships to address cybersecurity are essential, while noting also that U.S. companies should not wait for Congress to take action before developing their own preparedness to counter cyber-threats.
 
House Passes Email Privacy Act for Second Time
On February 6, 2017, the House of Representatives passed the Email Privacy Act, which requires the government to obtain a warrant before accessing stored electronic communications held by third-party service providers. This bill amends the Electronic Communications Privacy Act of 1986, under which emails that have been opened or are more than 180 days old are available with a subpoena. The same bill passed the House last year but did not pass the Senate before the end of the session.
 
Legislative—States


California and Illinois Data Breach Notification Amendments Take Effect
On January 1, 2017, amendments to the data breach notification laws in California and Illinois went into effect. California's amendment requires notification of a security breach when: (i) there is unauthorized acquisition of both encrypted personal information and the encryption key or security credential; and (ii) the business has a reasonable belief that the encryption key or security credential could render such personal information readable or useable. The Illinois amendment expands the definition of "personal information" to include medical and health insurance information, unique biometric information, and a username or email address in combination with a password or security question and answer to access an account. It also clarifies the encryption safe harbor provision, amends the notice requirements, creates requirements to maintain reasonable safeguards to protect information for Illinois residents, and exempts from certain compliance requirements entities that comply with certain federal statutes.
 
Massachusetts Allows Public Access to Data Breach Information
On January 3, 2017, the Massachusetts Office of Consumer Affairs and Business Regulation announced that it will make information about security breaches affecting Massachusetts citizens publicly available online, pursuant to an update to the state's public records law. Massachusetts joins California, Oregon, and Washington in allowing public access to data breach information.


Canada

Canadian Securities Administrators Issue Staff Notice on Cybersecurity Disclosures
On January 19, 2017, the Canadian Securities Administrators issued a staff notice to report the findings regarding issuers' disclosures of cybersecurity risks and cyberattacks. The notice also provided guidance on how issuers should approach disclosures of cybersecurity risks and incidents.

 

The following Jones Day lawyers contributed to this section: Jeremy Close, Jay Johnson, Lindsey Lonergan, Alexandra McDonald, Dan McLoon, Mary Alexander Myers, Mauricio Paez, Nicole Perry, Alexa Sendukas, John Sullivan, Anand Varadarajan, and Jenna Vilkin.

  

Latin America

 

Argentina  

Argentina Issues New Regulations on Personal Data Transfers
On November 16, 2016, the Personal Data Protection National Directorate (Dirección Nacional de Protección de Datos Personales or "DNPDP") issued new rules (source document in Spanish) for international transfers of personal data. The new regulation contains an official model for international data transfer agreements. Should parties wish to enter into agreements different from the model, these agreements must be approved by the DNPDP. The new rules also list the countries offering adequate levels of protection for the transfer of personal data.
 
Data Protection Authority Approves Guidelines for App Development
On December 1, 2016, the Argentinean Data Protection Authority issued a report (source document in Spanish) on amendments to the Data Protection Act, Law No. 25.326/2000. The report includes several proposals from the public, internet, businesses, and scholars. While Argentina's statute was recognized as adequate by the EU Commission, the Argentinean government decided to amend the law in light of new international regulations and developments in technology.

Brazil  

Special Commission Discusses Brazilian Personal Data Processing Bill
On December 7, 2016, a special parliamentary commission began to review a draft of the Personal Data Processing Bill No. 4060/2012 (source document in Portuguese). The bill, along with the Data Privacy Law No. 5276/2016, aims to protect individual rights as they relate to freedom, privacy, and intimacy in the processing of personal data.
 
Colombia  
 
National Database Registry Takes Effect
On November 8, 2016, the deadline to register Colombian databases in the National Database Registry ("NDR") expired. Part of the Personal Data Protection General Regime, the NDR (source document in Spanish) serves as a public directory of all databases in the country with information about data owners, data processors, and types of data processing. The NDR imposes various sanctions, including fines, suspension of activities, and temporary and definitive closure of operations, on entities that are not registered in the database. The Superintendence of Industry and Commerce will operate the public registry and will allow access to both Colombians and foreign citizens.

Mexico

Mexico Enacts New Data Protection General Law
On January 26, 2017, the new General Law for the Protection of Personal Data held by Regulated Subjects (source document in Spanish) was published in the Federal Official Gazette (Diario Oficial de la Federación). The law regulates the processing of personal data by any authority or agency of the executive, legislative, or judicial branch of the government at the federal, state, and municipal level, as well as by all autonomous bodies, political parties, and public trusts and funds, for which there was no prior framework. Under the law, regulated subjects must implement privacy notices, document security policies, and establish procedures to ensure data owners' rights to access, rectify, or oppose the processing of their personal data by a regulated subject. The law also provides specific rules for domestic and international transfers of personal data between authorities. State congresses have six months to conform their current local laws to the national standards.
 
Mexican Data Protection Authorities Discuss International Data Protection Issues
On January 26 and 27, 2017, the National Institute for Transparency and Access to Information and Personal Data Protection (Instituto Nacional de Transparencia, Acceso a la Información y Protección de Datos Personales), together with local data protection agencies from the various states and Mexico City's Institute of Transparency, Access to Public Information, Personal Data Protection and Accountability (Instituto de Transparencia, Acceso a la Información Pública, Protección de Datos Personales y Rendición de Cuentas de la Ciudad de México), commemorated International Data Protection Day (source document in Spanish) by holding forums on personal data protection, privacy rights of "digital individuals," and challenges facing the implementation of the newly enacted General Law for the Protection of Personal Data Held by Regulated Subjects.

The following Jones Day lawyers contributed to this section: Daniel C. D'Agostini, Guillermo Larrea, and Mónica Peña Islas.

  

Europe

 

European Union
 
ECJ Issues Judgment on National Data Retention
On December 21, 2016, the European Court of Justice ("ECJ") issued a judgment concerning national data retention laws, deciding that national data retention laws for fighting crime violate European Union law if they provide for the "general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication." It thus confirmed the opinion held by Tele2 and other telecoms carriers that such a broad national data retention law would violate EU law. This judgment can have far-reaching impacts on the applicability of other national data retention laws in Germany and other EU Member States. Even if the content of communication may not be retained, the Court confirmed that the retention of traffic and location data could nonetheless have an effect on the use of means of electronic communication and thus on users' exercise of their freedom of expression. The Court concluded that, under very strict conditions, national data retention laws may be justified. In particular, Member States may enact provisions that: (i) serve to fight serious crime, (ii) provide for targeted retention, and (iii) are strictly necessary. The retention order must be subject to court review, and the user must be notified as soon as the notification would no longer jeopardize the investigations. Retained data must stay within the EU.
 
European Commission Seeks to Improve EU's Data Economy
On January 10, 2017, the European Commission issued a press release regarding its proposed policy and legal solutions to expand the EU's data economy, as part of its Digital Single Market Strategy presented in May 2015. According to the Commission, in order to make the most of its data potential, the EU must address unjustified restrictions to the free movement of data across borders as well as several legal uncertainties. The Commission launched two public consultations and a debate with Member States and stakeholders to define next steps.
 
European Commission Pushes ePrivacy Regulation
On January 10, 2017, the European Commission published a statement regarding its proposal of high-level privacy rules for all electronic communications. The Commission published its proposal for an "ePrivacy Regulation," replacing the ePrivacy Directive, as new legislation intended to ensure stronger privacy and the higher level of data protection already imposed by the new General Data Protection Regulation ("GDPR"). The measures also aim to create new possibilities to process communication data and reinforce trust and security in the Digital Single Market, a key objective of the Digital Single Market Strategy. For more information on the proposal, please see Jones Day's Commentary.
 
Article 29 Working Party
 
Working Party Seeks EU–U.S. Law Enforcement Umbrella Agreement
On October 26, 2016, the Article 29 Working Party welcomed an initiative to create a general data protection framework for EU–U.S. law enforcement cooperation. The Umbrella Agreement would complement existing EU–U.S. law enforcement agreements and create a data protection standard for future agreements concluded in this field. The Working Party believes that the Umbrella Agreement would strengthen safeguards in existing law enforcement bilateral treaties with the United States.
 
Working Party Releases Key Guidelines under GDPR
On December 13, 2016, the Article 29 Working Party published three sets of guidelines: Guidelines on Data Protection Officers, Guidelines on the Right to Data Portability, and Guidelines on the Lead Supervisory Authority. These guidelines were issued pursuant to the GDPR, and the Working Party noted that the guidelines were assembled using input from various stakeholders and consultations with national data protection authorities.
 
Working Party Adopts 2017 GDPR Action Plan
On January 3, 2017, the Article 29 Working Party adopted its Action Plan for 2017, which outlines new objectives and deliverables for the coming year and builds on 2016 priorities and topics. The key features of the 2017 Action Plan include producing guidelines on consent and profiling, transparency, data transfers to third countries, and data breach notifications.
 
European Data Protection Supervisor
 
EDPS Issues Press Release on Control of Online Identities
On October 20, 2016, the European Data Protection Supervisor ("EDPS") published a press release discussing a system in which individuals, rather than online service providers, manage and control their online identity. The EDPS encouraged the Commission to support the development of innovative digital tools such as personal information management systems and take policy initiatives that inspire the development of economically viable business models to facilitate their use.
 
European Network and Information Security Agency
 
ENISA Publishes Report on Cyber Insurance
On November 7, 2016, the European Network and Information Security Agency ("ENISA") issued a report on market advances in the cyber insurance sector. The report identifies significant cyber insurance developments over the past four years and discusses good practices and challenges during the early stages of the cyber insurance lifecycle, i.e., before an actual policy is signed, laying the foundation for future work in the area.
 
ENISA Releases National Cyber Security Strategy Guide
On November 14, 2016, ENISA published a National Cyber Security Strategy ("NCSS") Good Practice Guide to update the different steps, objectives, and practices from the original guide. The guide aims to support EU Member States in their efforts to develop and update their NCSS. The guide also provides specific insights for private, civil, and industry stakeholders involved in the lifecycle of the NCSS.
 
ENISA Issues Report on PETs Control Matrix
On December 20, 2016, ENISA published a report related to the Privacy Enhancing Technologies ("PETs") control matrix, which is an assessment framework and tool for the systematic presentation and evaluation of online and mobile privacy tools for end users. The document, based on research in the area of secure messaging applications as well as the testing of different privacy tools, draws key conclusions and makes recommendations to be considered by all involved stakeholders in the area of PETs.
 
ENISA Publishes Guidelines for SMEs on Security of Personal Data Processing
On January 27, 2017, ENISA issued guidelines for small and medium-sized enterprises ("SMEs") on the security of personal data processing. ENISA undertook a study to support SMEs on how to adopt security measures for the protection of personal data following a risk-based approach. In particular, the objectives of the study were to facilitate SMEs' understanding of personal data processing operations and assessing associated security risks.
 
Belgium
 
Privacy Commission Finds Big Data Use by Telecommunications Operator Does Not Violate Law
On November 24, 2016, the Privacy Commission issued a press release (source document in French and Dutch) explaining that the use and third-party offering of anonymized location data by a telecommunications operator did not infringe the telecommunication law. The decision is subject to the conditions that the data is sufficiently aggregated and that underlying data is not used in the process.
 
Privacy Commission Reviews Impact Assessments under GDPR
On December 20, 2016, the Privacy Commission published for consultation (source document in French and in Dutch) a draft recommendation on the obligation to conduct impact assessments introduced by the GDPR. The review addresses the content of the assessment, the compulsory nature of impact assessments, and the stakeholders involved in the process.
 
France  
 
France Unveils Information System Security Plan in the Health Care Sector
On October 14, 2016, France's Ministry of Social Affairs and Health issued an instruction notice (source document in French) providing for the implementation of the "information systems security plan" for the health care sector. The plan is intended to ensure a harmonized minimum baseline level of cybersecurity for information systems of health care facilities, such as hospitals, biomedical laboratories, radiation therapy centers, and imaging and radiology public and private centers. For more information on the proposal, please see Jones Day's Alert.
 
France Moves Forward on Implementation of Cybersecurity Framework for Operators of Critical Infrastructures
On November 28, 2016, France's Secretary General for Defense and National Security, on behalf of the Prime Minister, adopted four sector-specific orders. These orders (source document in French) complete the information systems security plan applicable to Operators of Critical Infrastructures in the finance, audiovisual and information, industry, and electronic communications and internet sectors.
 
New Law Requires Certificate of Compliance for Health Data Hosting Services
On January 12, 2017, France issued an ordinance (source document in French) amending Article L. 1111-8 of the Public Health Code to require health data hosting service providers to obtain a certificate of compliance issued by a certification body accredited by the French national accreditation authority. Providers that archive such data will in addition require the approval of France's Ministry of Culture. This certification process will replace the current approvals granted by the Minister of Health. The conditions for certification will be set by decree adopted after consultation with the Conseil d'État.
 
Minister of Interior Issues Audit Report on TES
On January 17, 2017, the Minister of the Interior published an audit report (source document in French) on the security of the Secured Electronic Documents file ("TES"). The audit was conducted jointly by the French National Cybersecurity Agency (ANSSI) and the direction interministérielle du numérique et du système d'information et de communication de l'État (France's interministerial directorate on digital, information systems, and communication, or DINSIC). TES processes personal data related to identity cards and passports, including scanned fingerprints and scanned signatures. Although the audit report finds TES's security measures adequate overall, it makes 11 recommendations, in particular to ensure that the biometric data is used only for the file's stated purposes.
 
Germany        
 
Data Protection Authorities Discuss Issues with Health Data Processing
On December 5, 2016, seven German DPAs issued press releases (example press release in German) stating that none of the tested wearables, activity trackers, and fitness and health apps met data protection requirements. The DPAs tested 16 wearables and their respective apps, which together had been downloaded more than 30 million times. The privacy policies examined did not meet regulatory requirements, and the DPAs noted that sensitive health data is processed by third parties, used for marketing purposes, and shared with affiliates. In addition, users cannot delete their data, even when their devices are lost, stolen, or sold. The DPAs are examining ways to handle user complaints relating to this data processing.
 
German Federal Cabinet Adopts GDPR Implementation Bill
On February 1, 2017, the German Federal Cabinet adopted (source document in German) the revised Draft Implementation Bill of the Federal Ministry of the Interior (source document in German) for the upcoming EU GDPR. The GDPR, while aimed at harmonizing data protection requirements across all EU Member States, contains opening clauses that allow Member States to deviate in some circumstances. The proposal for a new Federal Data Protection Act ("FDPA") provides details regarding the scope and implementation of GDPR provisions and carries over additional data protection requirements from the current FDPA.
 
Bavarian Data Protection Commissioner Publishes Activity Report
On January 31, 2017, the Bavarian Data Protection Commissioner published an activity report for 2015–2016. The Commissioner focused on video surveillance activities in Bavaria and conducted a comprehensive review of the outsourcing activities of hospitals. The activity report also addresses concerns relating to wearables and health apps, smart water meters, and monitoring employees via GPS.

Italy  

DPA Renews General Authorizations
On December 15, 2016, the Italian Data Protection Authority ("DPA") renewed existing authorizations for the processing of the following: (i) sensitive data within employment relationships; (ii) data revealing health and sex life; (iii) sensitive data processed by associations and institutions; (iv) sensitive data processed by professionals; (v) sensitive data processed by banks and financial institutions; (vi) sensitive data processed by private investigators; (vii) judicial data processed by private individuals and public entities; (viii) genetic data; and (ix) personal data processed for purposes of scientific research. The general authorizations will be effective until May 24, 2018, when the GDPR will take effect.
 
DPA Bans Reputation Databases
On November 24, 2016, the Italian DPA issued a decision (source document in Italian) prohibiting a web platform and an IT archive from providing reputation ratings of individual businesspeople. The prohibited service aimed to rate suppliers, distributors, contractors, employees, and business partners by compiling and processing information uploaded by users and collected over the web. According to the decision, such large-scale collection and dissemination is detrimental to the dignity of individuals, and the ratings are unreliable given the algorithm used to compile them.

Spain        
 
Spanish DPA Analyzes Impact of New European Data Protection Regulation on SMEs
In January 2017, the Spanish DPA published new materials and resources designed to facilitate SMEs' adaptation to the GDPR. Specifically, the DPA issued the Guide for Controllers to the Regulation, the Guide for Contracts between Controllers and Processors, and the Guide for Fulfilling the Duty to Inform (source documents in Spanish). These materials, drawing on the GDPR's articles and on the opinions of the Article 29 Working Party, provide practical advice on the GDPR's scope and on how to ensure company compliance with the regulation.

Switzerland

Swiss–U.S. Privacy Shield Takes Effect
On January 11, 2017, the Swiss Federal Data Protection and Information Commissioner and the U.S. Department of Commerce finalized a new Swiss–U.S. Privacy Shield Framework ("Swiss Privacy Shield") that will allow companies to transfer Swiss personal data to the United States in compliance with Swiss data protection requirements. The Swiss Privacy Shield will replace the U.S.–Swiss Safe Harbor Framework, which was declared inadequate, and adopts requirements almost identical to those of the EU–U.S. Privacy Shield. For more information, please see Jones Day's Commentary.
 
The Netherlands        
 
Legislative Proposal on Intelligence and Security Services
On November 1, 2016, the Dutch government submitted a proposal (source document in Dutch) to update legislation regarding intelligence and security services in response to technological developments in the area of telecommunications, Wi-Fi networks, and the use of messaging apps. The intelligence and security services will be monitored by an independent commission. According to the Dutch government, a privacy impact assessment was prepared during the preparation of the proposal, and feedback was incorporated accordingly.
 
Sportswear Company Ends Privacy Violations
On November 8, 2016, the Dutch DPA announced that a sportswear company's fitness app no longer violated the Dutch Data Protection Act. During an earlier investigation, the DPA had concluded that the company neither provided its users with sufficient information on the use of health data transmitted through the app nor set retention periods for this data. Such data included running distances, calories burned, user location, and other metrics such as a user's gender, height, and weight. The DPA announced that the company now requests the data subject's consent and allows data subjects to reduce the specificity of their health data. In addition, the company encrypted all running data of inactive users of older app versions so that this health data could not be used for analytics.
 
DPA Reviews First Year under Data Leaks Reporting Obligation Act
On December 28, 2016, the DPA published an analysis (source document in Dutch) of data breaches notified in 2016. Between January 1, 2016, and December 15, 2016, a total of 5,500 data breaches were notified to the DPA under the Data Leaks Reporting Obligation Act. Most of the notifications came from the health care sector, the financial sector, and governmental organizations. The most common causes were messages containing personal data sent to someone other than the intended addressee, and lost or stolen USB flash drives and laptops.
 
United Kingdom        
 
UK Investigatory Powers Act Takes Effect
On December 30, 2016, the Investigatory Powers Act 2016 came into force. The Act sets out how investigatory powers may interfere with privacy and "abolishes and restricts various general powers to obtain communications data and restricts the circumstances in which equipment interference, and certain requests about the interception of communications, can take place."
 
UK ICO Seeks to Fine Charities for Data Misuse
On January 30, 2017, the Information Commissioner's Office ("ICO") gave notice to 11 UK charities of its intention to fine them for breaches of the UK Data Protection Act. The charities have 28 days to respond. The notices form part of the ICO's wider review of the use of personal data by charities, prompted by media reports of pressure on supporters to contribute donations.
 
ICO Warns UK Companies about Legal Risks of Selling Marketing Lists
On February 2, 2017, the ICO fined a UK company £20,000 for unlawfully trading personal information, stressing that any sale of personal information must be "clear and open." Specifically, the ICO noted that a common form of wording used in website terms ("we may share your information with carefully selected third parties where they are offering products or services that we believe will be of interest to you") was overly general and nonspecific.

The following Jones Day lawyers contributed to this section: Paloma Bru, Laurent De Muyter, Marina Foncuberta, Olivier Haas, Jörg Hladjk, Bastiaan Kout, Matthijs Lagas, Jonathon Little, Martin Lotz, Giuseppe Mezzapesa, Hatziri Minaudier, Selma Olthof, Audrey Paquet, Elizabeth Robertson, Rhys Thomas, and Undine von Diemar.

Asia

People's Republic of China        
 
China Releases Cybersecurity Law
On November 7, 2016, the Standing Committee of the National People's Congress adopted the Cybersecurity Law, which will take effect on June 1, 2017. The final text introduces a number of new provisions and makes substantive changes to the previous draft, such as tightening the regulatory requirements imposed on network operators and service providers and clarifying reporting obligations.
 
Research Center and Think Tank Release Report on China's Personal Information Security and Privacy Protection
On November 21, 2016, the Internet Law Research Center of China Youth Politics Institute and Fengmian Think Tank jointly released the first domestic report (source article in Chinese) regarding China's personal information security and privacy protection. The report was based on survey data on personal information security and privacy protection in China.
 
Hong Kong        
 
PCPD Charges Bank for Using Personal Data in Direct Marketing
On January 10, 2017, the Eastern Magistrates' Court convicted a bank for failing to comply with a customer's request to stop using his personal data in direct marketing. Pursuant to Section 35G(3) of the Personal Data (Privacy) Ordinance, a company receiving a customer's request to cease using his or her personal data in direct marketing must comply with the request without charge. Failure to comply is punishable by a fine of up to HK$500,000 and imprisonment of up to three years. The bank pled guilty to the charge and was fined HK$10,000.
 
PCPD Urges IoT Manufacturers to Enhance Transparency of Privacy Protection Measures
On January 24, 2017, the Office of the Privacy Commissioner for Personal Data, Hong Kong ("PCPD") reported a general lack of awareness among Internet of Things ("IoT") device manufacturers regarding communicating privacy and security protection measures to consumers. The report stems from a study conducted by PCPD to explore the privacy challenges and implications brought by fitness bands and their apps. The PCPD urged manufacturers engaged in the development of IoT devices to improve their privacy communications so that consumers can assess the privacy impact and take necessary steps to protect their personal data.
 
Japan        
 
Personal Information Protection Commission Releases Guidelines Regarding Amended Personal Information Protection Act
On November 10, 2016, after a review of public comments, the Personal Information Protection Commission released the Guidelines Concerning the Personal Information Protection Act (General Rules) (source document in Japanese). On the same date, the Commission also released a set of specific guidelines, including: (i) guidelines regarding the provision of personal data to a foreign third party; (ii) guidelines regarding verification and recording obligations related to the transfer of data to third parties; and (iii) guidelines regarding de-identified information (all source documents in Japanese). Companies are advised to review their internal handling of personal information and the relevant internal rules in light of these guidelines, which provide practical guidance on the measures companies will need to take under the Act.
 
Amended Personal Information Protection Act Takes Effect in May 2017
On December 20, 2016, the Cabinet decided to bring the Amended Act on the Protection of Personal Information fully into force on May 30, 2017.
 
Personal Information Protection Commission Releases Draft Guidelines Regarding Health Care Sector for Public Comments
On January 31, 2017, the Personal Information Protection Commission released draft guidelines concerning the Personal Information Protection Act for the health care sector (source document in Japanese) for public comments. The draft discusses proper handling of personal information for medical and long-term-care business operators.
 
Supreme Court Rules on Request for Removal of Search Results
On January 31, 2017, the Japanese Supreme Court issued a decision (source document in Japanese) dismissing an individual's request to remove search results from an online search engine. In reaching its decision, the Supreme Court set a balancing test weighing the individual's legal interest and the potential harm to the individual against the public interest and needs for such facts to be published. The Supreme Court affirmed the lower court's decision to dismiss the individual's claim because the facts were related to public interest and because the search results were not widely disseminated.
 
Personal Information Protection Commission Releases Guidelines Regarding Data Breach Responses
On February 16, 2017, after a review of public comments, the Personal Information Protection Commission released the Guidelines Concerning Responses, Etc. in Case of Data Breaches (source document in Japanese). The guidelines set out recommended measures to be taken in response to data breaches.
 
Personal Information Protection Commission Releases Guidelines Regarding Financial Sector
On February 28, 2017, after a review of public comments, the Personal Information Protection Commission released four guidelines concerning the Personal Information Protection Act for the financial sector, namely, (i) Guidelines Concerning Personal Information Protection in the Financial Sector, (ii) Practical Guidelines Concerning Security Measures for Personal Information Protection in the Financial Sector, (iii) Guidelines Concerning Personal Information Protection in the Credit Sector, and (iv) Guidelines Concerning Personal Information Protection in the Debt-Collection Sector (all source documents in Japanese).

Singapore        
 
PDPC Assesses Penalties Against Wine Company and Site Developer for Violations of Data Protection Act
On December 23, 2016, Singapore's Personal Data Protection Commission ("PDPC") found that a wine company and its website developer failed to make reasonable security arrangements to prevent the unauthorized access of customers' personal data. The wine company was ordered to conduct a security audit and patch website vulnerabilities. The Commission imposed a financial penalty of S$5,000 on the wine company and a financial penalty of S$3,000 on the site developer for violating the Personal Data Protection Act of 2012.
 
PDPC Assesses Penalty against Real Estate Agency for Failure to Secure Personal Data
On January 25, 2017, the PDPC ruled that a real estate agency failed to make reasonable security arrangements to prevent the unauthorized access of personal data stored online, and failed to cease storing documents containing personal data on its system until a security scan had been conducted. The Commission imposed a financial penalty of S$10,000 for violating the Personal Data Protection Act of 2012.
 
PDPC Fines Restaurant Operator for Breach of Protection Obligations
On January 25, 2017, the PDPC held that a restaurant operator group failed to secure its membership portal from unauthorized access to the individuals' personal data. The PDPC noted that personal data of members was accessible through a simple search on the organization's website. The company will pay S$10,000 for its conduct.

The following Jones Day lawyers contributed to this section: Michiru Takahashi, Li-Jung Huang, and Richard Zeng.

Australia

Australian Privacy and Information Commissioner Releases 2015–2016 Annual Report
On September 27, 2016, the Australian Information Commissioner released its annual report for July 2015 to June 2016. During this time frame, the Commissioner conducted 17 Commissioner-initiated investigations, received 2,128 privacy complaints, managed 107 data breaches that were voluntarily notified to the Commissioner, and conducted 21 assessments of the privacy practices of businesses and Australian government agencies. The Commissioner made a formal determination under the Australian Privacy Act in seven investigations.
 
Federal Court Rules on Individual's Right to Metadata
On January 19, 2017, the Federal Court of Australia ruled on an individual's right to access account metadata from a telecommunications provider. The case stems from an individual's request to a telecommunications provider to access the metadata retained by the company regarding his account. The court ruled that the telecommunications provider did not have an obligation to provide an individual with metadata that was not "about" the individual, such as mobile phone network data recording IP address, URL information, cell tower location information, incoming call records, or billing information of incoming callers.
 
Australia Adopts Mandatory Data Breach Notification Law
On February 13, 2017, the Australian Privacy and Information Commissioner announced a new mandatory data breach notification scheme in Australia. The Privacy Amendment (Notifiable Data Breaches) Bill 2016 "will require government agencies and businesses covered by the Privacy Act to notify any individuals affected by a data breach that is likely to result in serious harm." The Office of the Information Commissioner will work with agencies and businesses to implement the bill in the coming months, as an exact commencement date has not been set.

The following Jones Day lawyers contributed to this section: Adam Salter and Nicola Walker.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Jones Day | Attorney Advertising

Written by:

Jones Day

Changes in Our Privacy Policy

We reserve the right to change this Privacy Policy at any time. Please refer to the date at the top of this page to determine when this Policy was last revised. Any changes to our Privacy Policy will become effective upon posting of the revised policy on the Website. By continuing to use our Website and Services following such changes, you will be deemed to have agreed to such changes.

Contacting JD Supra

If you have any questions about this Privacy Policy, the practices of this site, your dealings with our Website or Services, or if you would like to change any of the information you have provided to us, please contact us at: privacy@jdsupra.com.

JD Supra Cookie Guide

As with many websites, JD Supra's website (located at www.jdsupra.com) (our "Website") and our services (such as our email article digests) (our "Services") use a standard technology called a "cookie" and other similar technologies (such as pixels and web beacons), which are small data files that are transferred to your computer when you use our Website and Services. These technologies automatically identify your browser whenever you interact with our Website and Services.

How We Use Cookies and Other Tracking Technologies

We use cookies and other tracking technologies to:

  1. Improve the user experience on our Website and Services;
  2. Store the authorization token that users receive when they log in to the private areas of our Website. This token is specific to a user's login session and requires a valid username and password to obtain. It is required to access the user's profile information, subscriptions, and analytics;
  3. Track anonymous site usage; and
  4. Permit connectivity with social media networks to permit content sharing.

There are different types of cookies and other technologies used on our Website, notably:

  • "Session cookies" - These cookies only last as long as your online session, and disappear from your computer or device when you close your browser (like Internet Explorer, Google Chrome or Safari).
  • "Persistent cookies" - These cookies stay on your computer or device after your browser has been closed and last for a time specified in the cookie. We use persistent cookies when we need to know who you are for more than one browsing session. For example, we use them to remember your preferences for the next time you visit.
  • "Web Beacons/Pixels" - Some of our web pages and emails may also contain small electronic images known as web beacons, clear GIFs or single-pixel GIFs. These images are placed on a web page or email and typically work in conjunction with cookies to collect data. We use these images to identify our users and user behavior, such as counting the number of users who have visited a web page or acted upon one of our email digests.

JD Supra Cookies. We place our own cookies on your computer to track certain information about you while you are using our Website and Services. For example, we place a session cookie on your computer each time you visit our Website. We use these cookies to allow you to log in to your subscriber account. In addition, through these cookies we are able to collect information about how you use the Website, including what browser you may be using, your IP address, and the URL address you came from upon visiting our Website and the URL you next visit (even if those URLs are not on our Website). We also utilize email web beacons to monitor whether our emails are being delivered and read. We also use these tools to help deliver reader analytics to our authors to give them insight into their readership and help them to improve their content, so that it is most useful for our users.

Analytics/Performance Cookies. JD Supra also uses the following analytic tools to help us analyze the performance of our Website and Services as well as how visitors use our Website and Services:

  • HubSpot - For more information about HubSpot cookies, please visit legal.hubspot.com/privacy-policy.
  • New Relic - For more information on New Relic cookies, please visit www.newrelic.com/privacy.
  • Google Analytics - For more information on Google Analytics cookies, visit www.google.com/policies. To opt-out of being tracked by Google Analytics across all websites visit http://tools.google.com/dlpage/gaoptout. This will allow you to download and install a Google Analytics cookie-free web browser.

Facebook, Twitter and other Social Network Cookies. Our content pages allow you to share content appearing on our Website and Services to your social media accounts through the "Like," "Tweet," or similar buttons displayed on such pages. To accomplish this Service, we embed code that such third-party social networks provide and that we do not control. These buttons know that you are logged in to your social network account and therefore such social networks could also know that you are viewing the JD Supra Website.

Controlling and Deleting Cookies

If you would like to change how a browser uses cookies, including blocking or deleting cookies from the JD Supra Website and Services, you can do so by changing the settings in your web browser. To control cookies, most browsers allow you to either accept or reject all cookies, only accept certain types of cookies, or prompt you every time a site wishes to save a cookie. It's also easy to delete cookies that are already saved on your device by a browser.

The processes for controlling and deleting cookies vary depending on which browser you use. To find out how to do so with a particular browser, you can use your browser's "Help" function or alternatively, you can visit http://www.aboutcookies.org which explains, step-by-step, how to control and delete cookies in most browsers.

Updates to This Policy

We may update this cookie policy and our Privacy Policy from time to time, particularly as technology changes. You can always check this page for the latest version. We may also notify you of changes to our privacy policy by email.

Contacting JD Supra

If you have any questions about how we use cookies and other tracking technologies, please contact us at: privacy@jdsupra.com.
